
At the recent Chaos Communication Congress in Germany, a new alarm was raised about the threats posed by artificial intelligence agents. According to cybersecurity specialist Johann Rehberger, a computer running a system like Claude Code, GitHub Copilot, Google Jules, or similar solutions becomes immediately vulnerable to attacks that require no user interaction.
A single line on a web page or in a document is enough for an agent to receive malicious instructions. According to the demonstrations presented, AI assistants are particularly vulnerable to attacks that inject commands through plain-text content.
One example was a website containing a single request to download a file. Claude, using a computer interaction tool, not only downloaded the file but also automatically made it executable, launched a terminal, and connected the device to a botnet.
These actions didn’t even require the user to press a key.
Rehberger emphasized that machine learning models possess significant capabilities, but are extremely vulnerable to attacks. He also emphasized that large companies like Anthropic do not independently address vulnerabilities in their agents’ logic, as they are intrinsic to the system’s architecture. Devices running AI tools should be considered compromised, especially if the agents have access to computer control functions.
During the presentation, several scenarios were illustrated in which agents execute malicious commands. One of these involved infection via split instructions hosted on different websites. Specifically, the Devin AI assistant, after receiving partial commands from two sources, deployed a web server, granted access to the user’s files, and sent a link to the attacker.
Rehberger also demonstrated a method for injecting invisible text using the ASCII Smuggler tool. These characters are undetectable in most text editors, but AI agents interpret them as commands. As a result, Google Jules and Antigravity executed the instructions, downloaded malware, and gained remote access to the system.
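The invisible-text technique above relies on code points that most editors render as nothing. As an added, defender-side example (not code from the talk or from the ASCII Smuggler tool), the scanner below inspects text an agent is about to consume, decodes any Unicode Tags-block characters back to the ASCII they mirror so a reviewer can see what was hidden, and counts other common zero-width and bidi-control characters. The sample input and the hidden word "READ" are constructed for the demonstration.

```python
# Unicode "Tags" block: U+E0000..U+E007F. The range U+E0020..U+E007E mirrors
# printable ASCII 0x20..0x7E and is invisible in most text renderers, which is
# what ASCII-smuggling style payloads rely on.
TAG_BASE = 0xE0000
TAG_START, TAG_END = 0xE0000, 0xE007F

# Other invisible or direction-altering code points worth flagging in agent input:
# zero-width space/joiners, word joiner, BOM, and bidi embedding/isolate controls.
SUSPICIOUS_FORMAT = {
    0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF,
    0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x2066, 0x2067, 0x2068, 0x2069,
}


def find_hidden_text(text):
    """Return (visible_text, decoded_tag_payload, other_invisible_count).

    visible_text has every flagged code point removed, decoded_tag_payload is
    the ASCII that Tags-block characters would spell out, and
    other_invisible_count is how many zero-width/bidi controls were seen.
    """
    visible, hidden, other = [], [], 0
    for ch in text:
        cp = ord(ch)
        if TAG_START <= cp <= TAG_END:
            # Only the printable mirror range carries text; U+E0001 (language
            # tag) and U+E007F (cancel tag) are dropped without decoding.
            if 0xE0020 <= cp <= 0xE007E:
                hidden.append(chr(cp - TAG_BASE))
        elif cp in SUSPICIOUS_FORMAT:
            other += 1
        else:
            visible.append(ch)
    return "".join(visible), "".join(hidden), other


def is_suspicious(text):
    """True if the text carries a Tags-block payload or any flagged invisibles."""
    _, hidden, other = find_hidden_text(text)
    return bool(hidden) or other > 0


# Constructed sample: visible notes followed by tag characters spelling "READ".
SAMPLE = "Project notes." + "\U000E0052\U000E0045\U000E0041\U000E0044"

if __name__ == "__main__":
    print(find_hidden_text(SAMPLE))  # ('Project notes.', 'READ', 0)
```

Run the check on fetched pages, documents and repository files before they reach the agent, and treat any non-empty payload as a reason to stop and review rather than to proceed automatically.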
According to Rehberger, the new Gemini model is particularly good at recognizing hidden characters, and this applies to all applications built on it. Even local agents like Anthropic Claude Code or Amazon Developer can execute system commands, allowing them to bypass protection and access sensitive information.
The concept of an AI virus called AgentHopper was also presented. It spreads not through code, but through the interaction of AI agents. A malicious query is embedded in a repository, after which the agents copy it to other projects and forward it. The same query can be adapted to a specific AI assistant using conditional statements.
Rehberger said he used Gemini to create this virus model, emphasizing how much easier it is to write malware using modern AI tools.
In conclusion, the expert recommended never trusting the results of language models and minimizing agents’ access to system resources. He cited containerization, such as Docker, as an ideal solution, as well as completely disabling automatic command execution.
According to Rehberger, AI vendors openly admit that they can’t guarantee the security of their products. Therefore, the key lesson is to always assume the possibility of a system compromise.
